McAfee Host Intrusion Prevention

What is McAfee Host Intrusion Prevention? (from McAfee)

McAfee Host Intrusion Prevention for Desktops safeguards your business against complex security threats that may otherwise be unintentionally introduced or allowed by desktops and laptops. Host Intrusion Prevention for Desktops is easy to deploy, configure, and manage. Three layers of protection (signature analysis, be...

Overview

McAfee Host Intrusion Prevention is a program developed by McAfee. The most used version is 8.00.0402, with over 98% of all installations currently using this version. Upon installation and setup, it defines an auto-start registry entry that makes the program run on each Windows boot for all user logins. It also adds a background controller service that is set to run automatically; the start of this service can be delayed through the service manager. The main program executable is mcafeefire.exe. The software installer includes 82 files and is usually about 37.95 MB (39,795,346 bytes). Relative to the total number of users, most PCs are running Windows 7 (SP1) as well as Windows 10. While about 61% of users of McAfee Host Intrusion Prevention come from the United States, it is also popular in India and Germany.

Behaviors exhibited

FireSvc.exe runs as a service named 'McAfee Host Intrusion Prevention Service' (enterceptAgent), described as: "Host-based intrusion prevention component that blocks exploits and hacks in real-time, including malicious buffer overflow code execution and privilege escalations. If this service is disabled or stopped, the system is no longer protected against intrusions."

Startup File (All Users Run)

FireTray.exe is registered in the all-users (HKLM) registry as a startup file named 'McAfee Host Intrusion Prevention Tray', which loads as "C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe".